More on the IE 0-day - Hupigon Joins The Party

It was just a few days ago when Symantec disclosed a new 0-day vulnerability in Microsoft's Internet Explorer (versions 6, 7, and 8). They found at least one malware called 'Backdoor.Pirpi' that is actively exploiting this vulnerability in targeted email attacks posing as hotel reservation notifications.

Here at FireEye labs, we have identified another type of Modern Malware called 'Hupigon' exploiting the same IE zero-day vulnerability. This malware looks to be more successful/reliable at infecting systems than Pirpi.

It is increasingly common that cyber criminals 'upgrade' Modern Malware with newly uncovered zero-day exploits. Now the question is, are the criminal masterminds behind this second wave of attacks the same as those behind the first wave? In this article I will try to answer this question.

In order to find a link, let's compare these attacks side-by-side.

1. Hupigon

The initial attack was seen hidden inside the compromised web site www.[XX]box.com. The unfortunate visitors to this web site were redirected to www.[XX]box.com/1.htm which contained the actual exploit. After a successful exploitation, the shellcode would fetch a GIF file named '[XXX]hack.gif'. This GIF "file" is actually an obfuscated command (with fake GIF header) containing the URL of the second stage binary '1.exe' (Hupigon).

Here is the screen shot of this end to end attack.

I tested this exploit many times and found it to be very reliable!

2. Backdoor.Pirpi

Now, back to the original malware that exploited the IE zero-day recently uncovered. The initial attack was seen hidden inside another compromised web site named www.[XX]unclub.com. After successful exploitation, the shellcode would fetch a GIF file named 'lin[X]bl.gif'. This GIF is actually an obfuscated executable binary (also utilizing a fake GIF header) called 'alg.exe' (a.k.a. Backdoor.Pirpi).

Here is a screen shot of the end-to-end attack.

Based on my lab results , I did not find this exploit to be particularly reliable. Most of the time, it would simply crash Internet Explorer. That's good news and can be considered a mitigating factor of why this attack using a zero-day vulnerability hasn't been more successful.

Here are a few more details on how Backdoor Pirpi communicates with its CnC infrastructure. At the moment, it's communicating to a command server with IP 195.178.114.26 located in Poland. In the past, other Pirpi variants have been seen talking to 69.60.106.176 and www.twadcorp.com.

Part of these URIs are randomly generated to fool signature based IDS (intrusion detection systems). Please note here that the response to these .GIF object requests return similarly obfuscated command objects(!) as we now see in the case of Hupigon.

When both attacks are analyzed side-by-side, there are enough similarities to assume that the cyber criminals behind both of these Modern Malware attacks are closely linked.

Here's a summary of the similarities:

1. BOTH Pirpi and Hupigon are using the same IE 0-day at almost within the same time frame.

2. BOTH are using the fake GIF format to conceal their second stage malware binaries. In the case of Pirpi, the complete binary was obfuscated within a fake GIF file. Similarly, in the case of Hupigon, the URL to the second stage binary was obfuscated in a similar fashion.

3. BOTH the malware Pirpi and Hupigon are very powerful backdoors and provide full access to the vulnerable system.

4. Although both of the malware are using the same 0-day vulnerability, neither malware should be considered "New". Pirpi has its roots back in mid-2009 and Hupigon back in 2007-2008.

At this time it appears that the majority of cyber criminals do not have access to this exploit. But in the coming days, as the research community releases more and more details, other groups will likely come into play and start using this vulnerability as a powerful vehicle to launch new cyber attacks.